SK Telecom sheds subs in wake of disastrous data breach

  • Security breach and apparent data leak put SK Telecom into a tailspin
  • But South Korea’s biggest mobile operator says it’s determined to right the ship, re-establish trust and be reborn as “faithful to the basics and responsible”
  • Even if that means replacing up to 23 million SIM cards 
  • But customers are abandoning the SK Telecom ship

South Korea’s SK Telecom (SKT) is scrambling to reassure customers in the wake of a disastrous security breach and data leak that occurred on 19 April and has led to much soul-searching for the telco as well as, reportedly, the loss of tens of thousands of mobile service customers in the aftermath. 

SKT’s problems started when it discovered that malware had infected its Home Subscriber Server (HSS) and an unknown volume of critical SIM-related information was extracted by the hackers, including authentication keys for up to 23 million SK Telecom mobile subscribers. The telco promptly reported the leak to the Korea Internet and Security Agency (KISA) on 20 April and to the Personal Information Protection Commission on 22 April, since when the company has been forced into a series of rear-guard actions that will generate a cold sweat on the brows of its mobile operator peers.  

The breach presented a conundrum: In theory, any data illegally gathered could enable SIM card cloning, identity theft and unauthorised access to bank accounts. But since there was no way of knowing how much data had been collected and what nefarious use was likely to be made of it, it was impossible to assess the risk facing individual SIM customers. Therefore, invoking an instant replacement programme for all the SIMs might have caused more confusion, panic and delays than a more measured step-by-step process, though the latter could also be construed as lacking in urgency. 

So SKT announced it had invoked protection measures, including strengthening its fraud detection system (FDS) and implementing a SIM card protection service in an effort to prevent illegal SIM card duplication. It also promised a full get-to-the-bottom-of-it-all investigation to find culprits, prevent a recurrence, and assure its customers that it was doubling down on security. 

But as it clearly couldn’t absolutely guarantee that fraudulent activity wouldn’t result from the breach, it also offered replacement SIM cards to all 23 million customers and, in order to prevent an overload at its stores, set up a free SIM card replacement reservation system for customers to book a time (from 28 April onwards) at which they could collect a new SIM from one of SKT’s 2,600 retail outlets. 

However, that plan faces major challenges, as SKT has only 1 million SIM cards in stock and will have to wait for more, according to The Korea Times.

And, as a result of such delays and concerns about data security, SKT has already lost more than 70,000 customers to rivals, reported The Korea Herald. In addition, SKT’s share price has plunged by more than 5% in the past week. 

Subsequently, SKT unveiled exactly what data had been stolen. “According to the first investigation results by the Ministry of Science and ICT on 29 April, SIM card information, such as subscriber phone number and IMSI (multiple mobile subscriber identity number), were leaked, but the international mobile equipment identity number (IMEI)”, a unique 15-digit serial number that identifies a mobile device, was not leaked. SKT also noted in this announcement (in Korean) that the ministry stated that customers who subscribe to SKT’s SIM card protection service “can prevent illegal activities, such as duplicating the SIM card with the leaked information and inserting it into another phone (so-called SIM swapping).” 

According to Business Korea, almost 10 million SKT subscribers have signed up for the SIM card protection service so far.

SKT also noted that, as of 29 April, “no criminal damage has been confirmed due to this breach,” but the operator’s CEO, Ryu Young-sang, who appeared as a witness at the National Assembly’s Science, ICT, Broadcasting and Communications Committee on 30 April, acknowledged that the breach was “the worst hacking case in the history of the telecom industry,” reported Korea JoongAng Daily.

The CEO also issued a statement: “I sincerely apologise to customers who have trusted and used SK Telecom and to society for the great inconvenience and concern we have caused. We will implement additional measures to provide free SIM card replacement to all SK Telecom customers if they so desire.”

Many customers did so desire. The initial rush soon led to shortages of replacement cards at SKT’s retail outlets and that, in turn, led to another bout of frustration and anger amongst SKT’s customers. 

To further allay the fear, uncertainty and doubt, the company is actively encouraging the use of its ‘SIM protection service’ to engender trust while it desperately tries to fulfil demand for the new SIMs: SKT claims it registered more than 2 million new subscribers to the protection service between 22 April and 24 April.

According to the CEO, “SK Telecom places the highest priority on customer trust, and we will further strengthen our security system and establish measures to strengthen the protection of customer information.” He added, “Through this incident, we will once again be reborn as a company that is faithful to the basics and responsible.”

That’s going to be a tough task, with rival service providers certain to appeal to SKT’s customers and with months of customer appeasement ahead. For the past couple of years, SKT has made the headlines with its AI strategy but now, at least in the short term, it is on the back foot. 

  Ian Scales, Contributing Editor, TelecomTV
